Remediation Guidance
A prioritized upgrade plan that fixes the most vulnerabilities with the fewest code changes, organized into actionable categories.
Enterprise feature
Available on: Free (Limited), Business, Enterprise.
Overview
The Remediation Guidance report gives developers a prioritized vulnerability remediation plan for a project or release group. It focuses on resolving the most impactful security issues with the least refactor effort.
The report organizes recommendations into five categories, each with a distinct priority and strategy:
- Quick Wins
- High Priority Fixes
- Low Priority Fixes
- Outdated Dependencies
- Malicious Dependencies
Note
The primary difference between this report and the remediation guidance shown on individual security issues is scope. This report calculates remediations in the context of all active vulnerabilities and upgrade recommendations across the entire project, including any vulnerabilities a given upgrade might introduce. Individual issue guidance covers only the best remediation path for a specific CVE or vulnerability.
Generating the report
Open Reports on a project or release group and select Remediation Guidance from the sidebar, then choose a format and generate. Remediation Guidance requires security to be enabled for your organization and is not available for binary-only projects. For release groups, it is available when at least one project in the release group is not a binary project.
How recommended upgrades work
FOSSA's remediation algorithm accounts for vulnerability ignore rules, vulnerabilities that a potential upgrade might introduce, and remediation metadata aggregated across its knowledge base. The algorithm avoids recommending upgrades that would worsen your overall security posture. If the nearest patch version introduces vulnerabilities of similar or greater severity, FOSSA suggests a safer upgrade path, even if it requires a larger version jump.
Report categories
Quick Wins
Remediation recommendations limited to patch-distance upgrades as defined by semantic versioning. Patch upgrades should not introduce breaking changes, making these the lowest-effort fixes available.

High Priority Fixes
Upgrades prioritized using FOSSA's exploitability prediction algorithm, which flags true-positive security issues most likely to be exploited. The calculation draws on CVSS vectors, exploitability data sources, EPSS probability, and FOSSA's knowledge base.
After flagging high-exploitability issues, FOSSA groups remaining vulnerabilities remediable by the same upgrade, guided by the principle of maximum impact with minimum effort.
Enable the Transitive Vulnerabilities toggle to include indirect (transitive) dependencies that may also be remediated by a given upgrade.
Note
Transitive vulnerability guidance asserts issues that may (but are not confirmed to) be remediated by a direct dependency upgrade. Direct dependency guidance will be remediated with certainty.

Low Priority Fixes
Remaining vulnerabilities that did not meet the High Priority threshold but still satisfy FOSSA's recommendation criteria. These are real vulnerabilities that require remediation, grouped only where the upgrade improves overall security posture.

Outdated Dependencies
Dependencies that are significantly behind the latest release; flagged proactively so teams can address them before a high-priority vulnerability appears in a future version. Which dependencies qualify is determined by your project's outdated dependencies policy. See Quality Policies for configuration details.
Enable the Exclude Vulnerable toggle to limit this category to dependencies that do not currently contain known vulnerabilities.

Malicious Dependencies
Enterprise feature
This functionality is gated behind a feature flag and may not be enabled for your organization by default. Reach out to your account team to request access.
Dependencies identified as malicious and recommended for immediate removal.

Report formats
The Remediation Guidance report is available in three formats:
| Format | Contents |
|---|---|
| Top 5 upgrade recommendations per category | |
| HTML | Top 5 upgrade recommendations per category |
| JSON | Full report including all vulnerability details not included in PDF and HTML outputs |